[owasp-intrinsic-security] Fwd: Saved Passwords and Clickjacking
jim.manico at aspectsecurity.com
Sun Nov 2 20:42:11 EST 2008
For what it's worth, the current best practice in the banking industry
is to use a tiny chunk of Java or Flash to render the login form to
circumvent browser-side credential caching.
From: owasp-intrinsic-security-bounces at lists.owasp.org
[mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
Sent: Thursday, October 30, 2008 12:30 PM
To: owasp-intrinsic-security at lists.owasp.org
Subject: [owasp-intrinsic-security] Fwd: Saved Passwords and
---------- Forwarded message ----------
From: Giorgio Maone <giorgio.maone at gmail.com>
Date: Thu, Oct 30, 2008 at 5:29 PM
Subject: Re: [owasp-intrinsic-security] Saved Passwords and Clickjacking
To: Bil Corry <bil at corry.biz>
The best solution IMHO is replacing auto-fill with a chrome-level UI
element to both fill and submit the form in a single gesture, like
Opera's Wand (ctrl+Enter) button.
On Thu, Oct 30, 2008 at 4:56 PM, Bil Corry <bil at corry.biz> wrote:
Arshan Dabirsiaghi wrote on 10/30/2008 9:08 AM:
> I have not heard much on prevention of this type of danger except in
> the form of "don't let FF save your passwords!!"
From the website's perspective, not allowing the browser to save the
username and password is an option. I've seen some sites that do allow
the user to opt-in to have the site remember their username, so it will
pre-populate the username, and the user still has to enter their
> I would guess a simple protection might be to not pre-populate form
> fields in an <iframe>. For further insurance of not breaking existing
> apps, you could say the browser can pre-populate if the <iframe> is from
> the same domain.
I think that is the cleanest solution, you'll have to let us know what
other ideas come out of the EU Summit.
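The rule proposed in the thread (pre-populate credentials only when the login page is top-level or framed by the same origin) is a browser-side change, but a site can approximate it for its own login form. The following is an added example written for this archive page, not code from any of the participants; the form id `login` and the `username` field name are assumptions, and the cross-origin check relies on the browser throwing when a cross-origin parent's `location` is read.

```javascript
// Site-side approximation of "no autofill in a cross-origin iframe" (added example).

// Inspect how this window is embedded. Accessing win.top.location for a
// cross-origin parent throws a SecurityError, which is itself the signal.
function framingContext(win) {
  if (win.top === win.self) {
    return { framed: false, sameOrigin: true };
  }
  try {
    const same = win.top.location.origin === win.location.origin;
    return { framed: true, sameOrigin: same };
  } catch (e) {
    // Cross-origin framing: the parent document is not ours.
    return { framed: true, sameOrigin: false };
  }
}

// The thread's rule: allow pre-population unless framed by another origin.
function allowAutofill(ctx) {
  return !ctx.framed || ctx.sameOrigin;
}

// When framed cross-origin, ask the browser not to fill the credential
// fields, clear anything already filled, and disable them so a hidden,
// clickjacked form cannot submit a saved password. Returns true if hardened.
function hardenLoginForm(form, ctx) {
  if (allowAutofill(ctx)) {
    return false;
  }
  form.setAttribute('autocomplete', 'off');
  const fields = form.querySelectorAll(
    'input[type="password"], input[name="username"]' // assumed field name
  );
  for (const el of fields) {
    el.setAttribute('autocomplete', 'off');
    el.value = '';
    el.disabled = true;
  }
  return true;
}

// Browser bootstrap; skipped when run outside a DOM (e.g. under node).
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const form = document.querySelector('form#login'); // assumed form id
  if (form) {
    hardenLoginForm(form, framingContext(window));
  }
}
```

Current browsers ignore `autocomplete="off"` on password fields for their built-in password managers, so clearing and disabling the fields is what actually holds here; the primary defense against a framed login page remains refusing to be framed at all via `X-Frame-Options` or CSP `frame-ancestors`.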